How to use Openvpn & ipfw in a jail so it only connects to the VPN


Bageland2000 (Dabbler, joined Aug 24, 2014):
"Now copy over your openvpn config file (usually your VPN service provider will supply this) make sure to name it openvpn.conf"

Can you elaborate on how to do this? Do I need to use a CIFS share to get the file on the NAS?
Also, any idea how to do this with a Private Internet Access VPN service? I can DL an OpenVPN file, but I only get the ovpn files for all the different locations and a .crt file and a .pem file.

Thanks for helping a noob!
 

Ryan Beall (Dabbler, joined Mar 8, 2014):

Yeah, I transfer it to a folder shared via CIFS, and then, assuming you have the same folder in your jail's storage folder, you can just use the cp command to transfer it to where you need.

Just choose the .conf file for the location you want to use then rename it to openvpn.conf. Keep the others on hand if you need to switch.
 

Bageland2000 (Dabbler, joined Aug 24, 2014):
So I can't get this to work because PIA doesn't provide the .key file. I think all the necessary data is in the .ovpn file. Is there a way to get this configured to just use the .ovpn file without checking for a .key file?
 

MaIakai (Dabbler, joined Jan 24, 2013):
Cat the .ovpn file; the certs might be inside of it (it is for me with SlickVPN).


Anyone know why my TUN interface isn't started? In rc.conf I have openvpn_if="tun",

But with that it's still not working. OpenVPN starts just fine, but nothing is using my VPN tunnel. Firewall is disabled for now as SlickVPN doesn't provide an IP pool.

In openvpn.conf:
dev tun
persist-tun


Logs :

openvpn.log :
Sun Aug 31 19:05:49 2014 OpenVPN 2.3.4 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 31 2014
Sun Aug 31 19:05:49 2014 Socket Buffers: R=[42080->65536] S=[9216->65536]
Sun Aug 31 19:05:49 2014 UDPv4 link local: [undef]
Sun Aug 31 19:05:49 2014 UDPv4 link remote: [AF_INET] NOT_MY_IP:8080

openvpn_status.log:
OpenVPN STATISTICS
Updated,Sun Aug 31 19:05:49 2014
TUN/TAP read bytes,0
TUN/TAP write bytes,0
TCP/UDP read bytes,0
TCP/UDP write bytes,0
Auth read bytes,0
END

From the looks of openvpn.log it IS connecting successfully and grabbing an IP that is different from my ISP. Yet still, how do I funnel traffic through it?
 

Bageland2000 (Dabbler, joined Aug 24, 2014):
I don't want to just have to keep asking questions here. One of the reasons I got this hardware was to learn. Can someone point me to a good resource for learning commands/Unix? I'd really like to develop my skills. Thanks!
 

mrME (Dabbler, joined Jan 4, 2012):
Just do a lot of searches... lol. That's how I learned. Plus everyone here on these forums is really helpful. Just don't give up.
 

Bageland2000 (Dabbler, joined Aug 24, 2014):
OK, I've been learning a lot of this and have an issue. When I try to start OpenVPN it tells me "failed to start openvpn".

Also, I'm moving my ca.crt and crl.pem file to ./etc/openvpn/keys. I'll verify they're there, then later I'll do an ls and there's nothing in the keys folder.

Lastly, my shell in FreeNAS seems to keep crashing.
 

Bageland2000 (Dabbler, joined Aug 24, 2014):
I moved the other files from ./openvpn/keys to ./openvpn and I'm getting more success. The only two problems are: I set the PIA ipfw rules for "US Florida.ovpn" and I set the pass.txt. Everything's working, but I still need to manually authenticate user/pass, and my pings will go out even with the VPN stopped.
 

Toast (Dabbler, joined Jun 17, 2014):
I'm going to use AirVPN also. I just don't know what options to select in their config generator. Jerry, do you have a template that I could use? There are a lot of advanced options too.
 

Toast (Dabbler, joined Jun 17, 2014):
OK, I think I got it! My issue was that when I copied the ca.crt and other files over to ....../openvpn/keys, the config file didn't know to look in that folder, I think. So I just copied them into where the config file was, which was just the /openvpn folder itself. Also, before this I set all of the Transmission jail's storages to chmod -R 777. That was something that I skipped over from the initial setup from a different guide. Not sure if that helped. I have some questions:

1. When I'm using Transmission it says the port is closed. It works and still downloads. Should I port forward something? Should I have put the port number next to the IP addresses in the ipfw config file?

2. Is there a way to check for a DNS leak? Some sort of command or anything?

3. I noticed you said you used a config file without resolved hosts. I grabbed one from AirVPN with resolved hosts and used it. Should I get one without resolved hosts? What difference would that make?

Thank you for your guide and everyone's input.
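Added example, not from any post in this thread, for Toast's question about checking for a DNS leak. It needs no network access: it reads the resolvers in /etc/resolv.conf and the DNS targets permitted by the ipfw_rules file (the guide's three dst-port 53 rules, quoted later in the thread), then reports, for each resolver, whether it is blocked, tunnel-only, or reachable directly. A resolver that is permitted and not inside the tunnel network is the leak: its queries leave the jail in the clear whenever the VPN is down. Assumptions: rules in the guide's "allow ... to IP dst-port 53" form (the output of ipfw list works too); the tunnel network given as a CIDR, 10.0.0.0/8 as in the guide; the two sample files are constructed here and are nobody's real configuration.

```shell
#!/bin/sh
# Added example (not from the thread): offline DNS-leak check for the jail.
# Compares the resolvers the jail will use (resolv.conf) with the DNS targets
# the ipfw rule set permits, and flags any permitted resolver that sits outside
# the tunnel network, since queries to it leave the jail in the clear when the
# tunnel is down. Assumptions: rule lines in the guide's "allow ... to IP
# dst-port 53" form; tunnel network passed as a CIDR; sample files constructed.
set -u

# ip_in_cidr IP CIDR -> true if IP falls inside CIDR (pure awk, no bit operators)
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        BEGIN {
            split(cidr, c, "/"); hostbits = 2 ^ (32 - c[2])
            x = toint(ip); net = toint(c[1])
            # both addresses with their host bits cleared must agree
            exit !((x - x % hostbits) == (net - net % hostbits))
        }'
}

# allowed_dns RULES -> destination IPs of "allow" rules for dst-port 53
# (accepts both "add NNN allow ..." file lines and "NNN allow ..." ipfw list output)
allowed_dns() {
    awk '($2 == "allow" || $3 == "allow") && /dst-port 53([^0-9]|$)/ {
             for (i = 1; i < NF; i++) if ($i == "to") print $(i + 1) }' "$1"
}

# resolvers RESOLVCONF -> nameserver addresses the jail will query
resolvers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# check_dns RULES RESOLVCONF TUNNEL_NET -> one verdict per resolver; returns 1 if
# any resolver is blocked (lookups fail) or reachable outside the tunnel (leak)
check_dns() {
    status=0
    for ns in $(resolvers "$2"); do
        if ! allowed_dns "$1" | grep -qxF "$ns"; then
            echo "$ns: blocked by ipfw, lookups to it will time out"; status=1
        elif ip_in_cidr "$ns" "$3"; then
            echo "$ns: inside the tunnel network, only reachable while the VPN is up"
        else
            echo "$ns: LEAK, permitted directly, so queries go out in the clear when the VPN is down"; status=1
        fi
    done
    return $status
}

# write_samples DIR -> constructed copies of the guide's three DNS rules and a resolv.conf
write_samples() {
    cat > "$1/ipfw_rules" <<'EOF'
add 01000 allow log udp from 192.168.0.0/16 to 208.67.222.222 dst-port 53 keep-state
add 01002 allow log udp from 192.168.0.0/16 to 10.4.0.1 dst-port 53 keep-state
add 01004 allow log udp from 192.168.0.0/16 to 208.67.220.220 dst-port 53 keep-state
add 65534 deny ip from any to any
EOF
    cat > "$1/resolv.conf" <<'EOF'
nameserver 10.4.0.1
nameserver 208.67.222.222
nameserver 8.8.8.8
EOF
}

if [ $# -eq 3 ]; then
    check_dns "$1" "$2" "$3"     # e.g. sh dnscheck.sh /media/ipfw_rules /etc/resolv.conf 10.0.0.0/8
else
    d=$(mktemp -d "${TMPDIR:-/tmp}/dnscheck.XXXXXX")
    write_samples "$d"; check_dns "$d/ipfw_rules" "$d/resolv.conf" 10.0.0.0/8 || true
    rm -r "$d"
fi
```

Inside the jail: `sh dnscheck.sh /media/ipfw_rules /etc/resolv.conf 10.0.0.0/8`. A non-zero exit means at least one resolver needs attention: drop the public ones from both resolv.conf and the rules if you want lookups to fail closed when the tunnel is down, and keep the provider's in-tunnel resolver.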
 

CrunchyMetal (Cadet, joined Oct 3, 2014):
This is awesome, thanks all for lots of great help that got a noob like me up and running with OpenVPN and PIA. I've been struggling with this for the past few days. One question I have is, now that I have this working, I can no longer remotely access Transmission. Is there any way to do this securely and maintain OpenVPN?
 

richardb (Dabbler, joined Aug 23, 2011):
Hey all, thanks for the great guide. Very nicely written. I have everything up and running with an AirVPN connection, except...

When I try pinging Google with openvpn stopped, I still get through. That takes about 30ms.
When I turn openvpn on, the ping still goes through, but it takes 190ms.

So, I assume that the traffic is being routed over the openvpn/airvpn connection when openvpn is on. That's fine.
I am concerned about the IP traffic not being blocked when openvpn is stopped, though: that means it is leaking and ipfw isn't blocking it.

Any ideas what is wrong with my config? My ipfw_rules are as follows:

add 01000 allow log udp from 192.168.0.0/16 to 208.67.222.222 dst-port 53 keep-state
add 01002 allow log udp from 192.168.0.0/16 to 10.4.0.1 dst-port 53 keep-state
add 01004 allow log udp from 192.168.0.0/16 to 208.67.220.220 dst-port 53 keep-state
add 01006 allow ip from 192.168.0.0/16 to 192.168.0.0/16 keep-state
add 02000 allow ip from 192.168.0.0/16 to MYAIRVPNIP keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any

(where MYAIRVPNIP is the AirVPN gateway from the config file)
Any thoughts?
 

hunter (Explorer, joined Nov 24, 2013):
I'm not sure anything is wrong, because ping is neither TCP nor UDP, so the config written won't apply to your ping requests. A better test would be to stop the VPN, then see if web browsing or any other services dependent on TCP will work.

 

EscapeVelocit3y (Dabbler, joined Oct 11, 2014):
My FreeNas is on 192.168.0.100/24.

What should my firewall script look like? My router is on 192.168.0.1. I keep getting a Permission Denied error whether the VPN is on or off when pinging Google.

My Transmission jail is on 192.168.0.6.

add 01000 allow log udp from 192.168.0.0/24 to 208.67.222.222 dst-port 53 keep-state
add 01002 allow log udp from 192.168.0.0/24 to 10.4.0.1 dst-port 53 keep-state
add 01004 allow log udp from 192.168.0.0/24 to 208.67.220.220 dst-port 53 keep-state
add 01006 allow ip from 192.168.0.0/24 to 192.168.0.0/24 keep-state
add 02000 allow ip from 192.168.0.0/24 to AirVPN keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
 

Goobz (Dabbler, joined May 11, 2014):
Hi guys.

Thanks for this great thread! It has been really helpful.

My apologies, I only started to learn this stuff a few months back when I built my FreeNAS box, so bear with me if I've overlooked something glaringly obvious!

I am totally stuck at starting the openvpn service. I have been over the steps and each of the files about 5 times and can't find anything wrong, however I continually get this:
Code:
[root@transmission_1 /]# service openvpn start
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn 


I initially used pkg to install the OpenVPN files and got the above error, but since I am using PIA I removed it and installed it using the method outlined by Zettadox & markFL, by compiling it from ports. However, I still get the exact same error.

As suggested, the ca.crt, openvpn.conf & login.conf are in the openvpn folder together (no keys folder). I've tried both absolute and relative paths in openvpn.conf to the ca.crt and login.conf files, and removing the link to login.conf altogether, to no avail.

I also ran
Code:
chmod -R 777 /usr/local/etc/openvpn
to try and rule out a permissions issue.

Is there a log or something somewhere that can fill me in on why this is happening, or what my issue might be?

Any help appreciated guys!

Thanks!

EDIT: I opened the IPMI console to see if it could shed any light on the situation. Truth be told, I had it open for something else and noticed the messages, lol.

I tried to restart the jail and these errors came up:

[screenshot of the jail restart errors; image not reproduced here]


and subsequently upon running
Code:
service openvpn start 
this message came up (run 3 times):

[screenshot of the openvpn start messages; image not reproduced here]


Hopefully that might help?

Thanks again!
 
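Added example, not from any post in this thread, for the "where do the certs go" problems above (Bageland2000 and MaIakai on PIA's .ovpn with no .key file, Toast and Goobz on files in openvpn/keys not being found). The script lists which credential blocks are inline in the .ovpn, which directives point at external files, and which of those files are missing from the place OpenVPN will look; it can also split the inline blocks out into files. Assumptions: standard OpenVPN directives; relative paths resolve against the directory the config is in, which matches the FreeBSD rc script's default of starting openvpn with --cd /usr/local/etc/openvpn; the sample config and its certificate text are constructed for the example. Private material is written with mode 600, the opposite of the chmod -R 777 mentioned in a couple of posts.

```shell
#!/bin/sh
# Added example (not from the thread): check where an OpenVPN client config
# expects its credential files and pull inline <ca>/<cert>/<key>/<tls-auth>
# blocks out into separate files. Assumptions: standard OpenVPN directives;
# relative paths resolve against the config's own directory (the FreeBSD rc
# script starts openvpn with --cd set to openvpn_dir, /usr/local/etc/openvpn
# by default); the certificate text in the sample is a constructed placeholder.
set -u

# ovpn_inline_blocks CONFIG -> names of inline credential blocks present
ovpn_inline_blocks() {
    awk '/^<(ca|cert|key|tls-auth|tls-crypt|crl-verify)>[ \t]*$/ {
             sub(/^</, ""); sub(/>.*$/, ""); print }' "$1"
}

# ovpn_file_refs CONFIG -> "directive path" for every directive naming an external file
ovpn_file_refs() {
    awk '$1 ~ /^(ca|cert|key|tls-auth|tls-crypt|crl-verify|auth-user-pass)$/ && NF >= 2 {
             print $1, $2 }' "$1"
}

# ovpn_missing_refs CONFIG -> referenced files that do not exist where openvpn will look
ovpn_missing_refs() {
    base=$(dirname "$1")
    ovpn_file_refs "$1" | while read -r directive path; do
        case $path in /*) full=$path ;; *) full=$base/$path ;; esac
        [ -f "$full" ] || echo "$directive $path"
    done
}

# ovpn_extract_inline CONFIG DIR -> write each inline block to DIR/<name>.pem;
# private material (key, tls-auth, tls-crypt) is made readable by root only
ovpn_extract_inline() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^<(ca|cert|key|tls-auth|tls-crypt|crl-verify)>[ \t]*$/ {
            name = $0; sub(/^</, "", name); sub(/>.*$/, "", name)
            out = dir "/" name ".pem"; inblock = 1; next
        }
        /^<\/(ca|cert|key|tls-auth|tls-crypt|crl-verify)>/ { close(out); inblock = 0; next }
        inblock { print > out }' "$1"
    for f in key tls-auth tls-crypt; do
        if [ -f "$2/$f.pem" ]; then chmod 600 "$2/$f.pem"; fi
    done
}

# ovpn_report CONFIG -> human-readable summary of the three checks above
ovpn_report() {
    echo "inline blocks:";             ovpn_inline_blocks "$1" | sed 's/^/  /'
    echo "external files referenced:"; ovpn_file_refs "$1"     | sed 's/^/  /'
    echo "missing files:";             ovpn_missing_refs "$1"  | sed 's/^/  /'
}

# write_sample_config PATH -> constructed config in the PIA style discussed above:
# CA inline, password file and CRL referenced by relative path
write_sample_config() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 198.51.100.10 1194
auth-user-pass pass.txt
crl-verify crl.pem
<ca>
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
EOF
}

if [ $# -ge 1 ]; then
    ovpn_report "$1"        # e.g. sh ovpn-check.sh /usr/local/etc/openvpn/openvpn.conf
else
    d=$(mktemp -d "${TMPDIR:-/tmp}/ovpn.XXXXXX")
    write_sample_config "$d/openvpn.conf"; ovpn_report "$d/openvpn.conf"; rm -r "$d"
fi
```

Run it as `sh ovpn-check.sh /usr/local/etc/openvpn/openvpn.conf`; with no argument it runs on the built-in sample. If the rc script still reports "failed to start openvpn" once the missing-files list is empty, run OpenVPN in the foreground with `openvpn --cd /usr/local/etc/openvpn --config openvpn.conf --verb 4`, which prints the actual error instead of the one-line warning.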

maereax (Cadet, joined Oct 30, 2014):
I wanted to use Openvpn with my Transmission plugin but didn't want any of my other network traffic to go through the VPN. Additionally, I didn't want Transmission to access the internet except through the VPN. This "how-to" assumes you have a VPN service you're connecting to and have downloaded the config file, certs and user keys.

It was rather easy; here's how:

Once you've installed the Transmission plugin, have the jail running and storage attached, ssh into your jail
Code:
jls
to list the jails, then
Code:
jexec N tcsh
where "N" is equal to your jail number.

Now you'll need to add packages. I prefer to use bash rather than tcsh and nano over vi. Make sure not to use pkg_add.
Code:
[root@transmission_1 /]# pkg install bash
[root@transmission_1 /]# pkg install nano
[root@transmission_1 /]# pkg install openvpn


Next time you enter the jail you can use:
Code:
jexec N bash

For now we'll just drop into the bash shell
Code:
[root@transmission_1 /]# bash


Next we need to create the directory for the config file and certs and keys for Openvpn
Code:
[root@transmission_1 /]# mkdir /usr/local/etc/openvpn
[root@transmission_1 /]# mkdir /usr/local/etc/openvpn/keys


Next you need to add the lines to rc.conf so openvpn and ipfw start when the jail starts. Go to the /etc directory and fire up nano:
Code:
[root@transmission_1 /]# cd /etc

[root@transmission_1 /etc]# nano rc.conf

Note: to save files in nano Ctrl+o will write the file and Ctrl+x will exit.

Once you've got the rc.conf file opened in nano add the following lines:


Code:
firewall_enable="YES"

firewall_type="/media/ipfw_rules"

openvpn_enable="YES"

openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"


Note that "firewall_type=" tells ipfw where the rules are to be loaded, so make sure to change the path to reflect where you are storing the file with the rules.
Now copy over your openvpn config file (usually your VPN service provider will supply this) make sure to name it openvpn.conf.
Code:
[root@transmission_1 /]# cp /media/VPNproviderfile.ovpn /usr/local/etc/openvpn/openvpn.conf

Double check the paths to the location of the keys and certs listed in the config file match where you will be placing them (/usr/local/etc/openvpn/keys).

Then copy over the certs and keys
Code:
[root@transmission_1 /]# cp /media/ca.crt /usr/local/etc/openvpn/keys/ca.crt
[root@transmission_1 /]# cp /media/user.crt /usr/local/etc/openvpn/keys/user.crt
[root@transmission_1 /]# cp /media/user.key /usr/local/etc/openvpn/keys/user.key
[root@transmission_1 /]# cp /media/ta.key /usr/local/etc/openvpn/keys/ta.key


Now let's fire it up and see if it works:
Code:
[root@transmission_1 /]# /usr/local/etc/rc.d/openvpn start

If it works you should see
Code:
Starting openvpn.
[root@transmission_1 /]#


Assuming that is all working, now it's time to set up the firewall to only allow connections to your VPN service. ipfw is already installed in the jail, so the main trick is getting the IP addresses of your VPN service provider. I use AirVPN, and when you generate the config file you can specify that it resolve the hosts, and it will list all of the IP addresses. You will also need the IP addresses for your DNS servers. I use a combo of OpenDNS and the AirVPN DNS. I put the firewall rules in my attached storage so I can easily change them if needed. Note that my FreeNAS server and gateway are in the 192.168.0.0/16 range, so you'll need to adjust the firewall rules to reflect the IP addresses that you have established on your network.
Code:
[root@transmission_1 /etc]# cd /media
[root@transmission_1 /media]# nano ipfw_rules


The first set of rules allow access to the DNS servers
Code:
add 01000 allow log udp from 192.168.0.0/16 to 208.67.222.222 dst-port 53 keep-state
add 01002 allow log udp from 192.168.0.0/16 to 10.4.0.1 dst-port 53 keep-state
add 01004 allow log udp from 192.168.0.0/16 to 208.67.220.220 dst-port 53 keep-state


The next rule allows access on my local network to and from the jail:
Code:
add 01006 allow ip from 192.168.0.0/16 to 192.168.0.0/16 keep-state


The next set allow access to the ip addresses provided by your VPN service provider. You'll need to add as many as you are given:
Code:
add 02000 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02004 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02008 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02012 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02014 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02016 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state


Please note that each of the above lines ends with "keep-state", but the forum website sometimes shortens them to "keep-$" (see MarchHare's post below).
And the last group allows access to local loopback and denies everything else. The 10.0.0.0/8 is for AirVPN; you'll need to find out the IP range for your provider (I found this info in their forums).
Code:
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any


All of these go into the ipfw_rules, I just broke them down to explain their function.

Now fire up ipfw
Code:
[root@transmission_1 /etc]# /etc/rc.d/ipfw start


Test by pinging www.google.com then stop your vpn
Code:
[root@transmission_1 /etc]# /usr/local/etc/rc.d/openvpn stop


If it is setup correctly you will get the following with the vpn off:
Code:
[root@transmission_1 /etc]# ping www.google.com
PING www.google.com (74.125.225.82): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- www.google.com ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss
[root@transmission_1 /etc]#


The final test is to make sure your work survives a reboot, so turn the jail off from the Freenas GUI and start it up again. Then ssh back into your jail and verify openvpn is running and the firewall rules are loaded:
Code:
[root@transmission_1 /etc]# ipfw list


Thanks to all of the folks who have posted on the AirVPN and Freenas forums, I just pulled all of the info together.

Cheers

So I'm loving what you're doing here because it's exactly what I need, however I'm stuck. You set up a location for the file openvpn.conf and I can't seem to find it. I've found the openvpn config examples but I have no idea how to configure them for what I need. I'm trying to use privateinternetaccess but I'm not completely fixed on that decision. Any thoughts?

edit: I figured it out. The download files PIA gives you are for windows systems. Simply renaming them to .conf fixes the problem.
 
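Added example, not from the guide or from any post here: a generator for the ipfw_rules file in the guide's own format, built from the remote lines of the OpenVPN config. It differs from the hand-written rules above in three ways that answer questions raised in this thread: each VPN endpoint is allowed only on the port and protocol from its remote line (Toast's question about putting the port next to the IP); a remote given as a hostname is skipped with a warning, since ipfw cannot match a name and resolving one before the tunnel exists would need DNS outside the tunnel, which is why the resolved-hosts config is the one to use; and the sample call permits only the in-tunnel resolver 10.4.0.1 from the guide, so name lookups fail closed when the VPN is down instead of going to OpenDNS in the clear. Assumptions: LAN range, tunnel range and DNS servers are passed as arguments; a remote without a port uses OpenVPN's default 1194; the 198.51.100.x addresses in the sample are documentation addresses, not a real provider.

```shell
#!/bin/sh
# Added example (not from the guide): build the jail's ipfw_rules file from the
# "remote" lines of a resolved-hosts OpenVPN config, so the firewall only lets
# the jail reach the VPN endpoints (on their real port and protocol), the named
# DNS servers, the LAN and the tunnel network. Everything else is denied.
# Assumptions: LAN/tunnel ranges and DNS servers are passed in; a "remote" line
# without a port means OpenVPN's default 1194; the 198.51.100.0/24 addresses in
# the sample are documentation addresses, not a real provider.

# default_proto CONFIG -> "udp" or "tcp" from the config's top-level proto line
default_proto() {
    awk '$1 == "proto" { p = $2 } END { print (p ~ /^tcp/) ? "tcp" : "udp" }' "$1"
}

# vpn_endpoint_rules CONFIG LAN FIRSTNUM -> one allow rule per IP-literal remote.
# Hostname remotes are skipped with a warning: ipfw cannot match a name, and a
# name would need DNS before the tunnel is up (use the provider's resolved-hosts config).
vpn_endpoint_rules() {
    awk -v lan="$2" -v n="$3" -v defproto="$(default_proto "$1")" '
        $1 == "remote" {
            host = $2
            port = (NF >= 3) ? $3 : 1194
            proto = (NF >= 4) ? $4 : defproto
            sub(/-client$/, "", proto); sub(/[46]$/, "", proto)   # tcp-client, udp4 -> tcp, udp
            if (host !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                printf "skipping non-IP remote %s\n", host > "/dev/stderr"
                next
            }
            printf "add %05d allow log %s from %s to %s dst-port %s keep-state\n", n, proto, lan, host, port
            n += 2
        }' "$1"
}

# gen_ipfw_rules LAN TUNNEL_NET CONFIG DNS... -> complete rule set on stdout
gen_ipfw_rules() {
    lan=$1; tun=$2; cfg=$3; shift 3
    echo "# generated from $cfg; lines starting with # are ignored by ipfw"
    echo "add 00100 allow ip from 127.0.0.1 to any"
    echo "add 01000 allow ip from $lan to $lan keep-state"
    n=1100
    for dns in "$@"; do
        printf 'add %05d allow log udp from %s to %s dst-port 53 keep-state\n' "$n" "$lan" "$dns"
        n=$((n + 2))
    done
    vpn_endpoint_rules "$cfg" "$lan" 2000
    echo "add 05000 allow ip from $tun to any"
    echo "add 05002 allow ip from any to $tun"
    echo "add 65534 deny log ip from any to any"
}

# write_sample_config PATH -> constructed sample config (two IP remotes, one hostname)
write_sample_config() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 198.51.100.10 1194
remote 198.51.100.11 443 tcp
remote vpn.example.invalid 1194
EOF
}

if [ $# -ge 3 ]; then
    gen_ipfw_rules "$@"     # e.g. sh gen-rules.sh 192.168.0.0/24 10.0.0.0/8 /usr/local/etc/openvpn/openvpn.conf 10.4.0.1
else
    d=$(mktemp -d "${TMPDIR:-/tmp}/ipfwgen.XXXXXX")
    write_sample_config "$d/openvpn.conf"
    gen_ipfw_rules 192.168.0.0/24 10.0.0.0/8 "$d/openvpn.conf" 10.4.0.1
    rm -r "$d"
fi
```

Write the output to /media/ipfw_rules (or wherever firewall_type in rc.conf points), reload with /etc/rc.d/ipfw restart, and then repeat the guide's own test of stopping openvpn and pinging out; with only the in-tunnel resolver allowed, even the name lookup in that ping should fail while the VPN is down.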

unca_NAS (Explorer, joined Mar 25, 2012):
Hello all

Thanks for the excellent guide. Some problems tho:
A couple of days ago I noticed that the openvpn service wasn't running. When starting it from within the jail, it starts but dies within 5 seconds.

Completely destroyed the jail, created a new one with Transmission. At initial start-up everything was working fine. When stopping/starting the jail, no ipfw or openvpn. Again, openvpn can be started manually but it dies within seconds.

If some kind soul is willing to help me to troubleshoot this issue, what info should I provide?
 

unca_NAS (Explorer, joined Mar 25, 2012):
EDIT2:

Seems that I had a bad entry in the IPFW rules; now tun0 is working. Also port-forwarding is now OK. Had to let AirVPN generate a custom port, and added that to the router, the ipfw rules and the Transmission client.

:)

However, transmission-daemon cannot see any trackers: "could not connect to tracker".

Added some tracker ports (80, 6969 etc.) to the ipfw bypass rules, no cigar.
Can this be solved somehow?

SOLUTION:
The mentioned trackers are public, and known to block VPN connections. Dayum.
 